Hi!

We are using a Samba 3.0.22 PDC and 2 Samba 3.0.28 BDCs with an ldapsam-based backend. For about a week now, the domain admin (admin) has had no admin rights on the XP/2003 machines any more, and I have no idea why. Can somebody please help me?

Some tests and configurations:

# id admin
uid=0(root) gid=0(root) Gruppen=0(root),998(ldapadmin)

# net groupmap list
Domain Admins (S-1-5-21-8915387-1074272342-1703228666-512) -> ldapadmin
Domain Users (S-1-5-21-8915387-1074272342-1703228666-513) -> ldapuser

# ldapsearch -x uid=admin
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# Admin, Users, xxxxxxx.ac.at
dn: uid=Admin,ou=Users,dc=xxxxxxxx,dc=ac.at
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
sambaPwdMustChange: 2147483647
sambaLogoffTime: 0
sambaLogonTime: 0
sambaKickoffTime: 0
description:
sambaDomainName: XX_XXX
uid: Admin
cn: Admin
displayName: Admin
sambaSID: S-1-5-21-1992494304-3358384209-1871445459-1000
uidNumber: 0
homeDirectory: /root
loginShell: /bin/false
shadowLastChange: 12529
sambaLogonScript: ver_nsc.cmd
gidNumber: 0
sambaPrimaryGroupSID: S-1-5-21-1992494304-3358384209-1871445459-512
sambaProfilePath: //XX.XX.XX.XX/profiles/Admin
sambaPwdCanChange: 1156912744
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1156912744
sambaAcctFlags: [U ]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

cat /etc/samba/smb.conf
[global]
# NAME SETTINGS
netbios name = xxxxx
server string = xxxxx
workgroup = xxxxx
# SECURITY SETTINGS
os level = 255
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
security = user
encrypt passwords = yes
# min passwd length = 6
announce version = 7
announce as = NT
admin users = @"Domain Admins",admin,Admin
# PRINTER SETTINGS
printing = BSD
load printers = No
disable spoolss = Yes
show add printer wizard = No
# LDAP SETTINGS
ldap admin dn="uid=Admin,ou=Users,dc=xxxxxx,dc=ac.at"
# ldap ssl = start_tls
ldap ssl = no
passdb backend = ldapsam
ldap delete dn = no
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Clients
ldap suffix = dc=xxxxxxx,dc=ac.at
# ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap passwd sync = yes
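
Added example, not part of the original post: a check that compares the domain portion of an account's sambaSID and sambaPrimaryGroupSID with the domain portion of the SIDs printed by net groupmap list, using the values quoted above as sample input. The function names are illustrative, and the parsing assumes the two output formats exactly as they appear in the post.

```python
import re

# Constructed sample input: lines copied from the two outputs quoted in the post.
GROUPMAP = """\
Domain Admins (S-1-5-21-8915387-1074272342-1703228666-512) -> ldapadmin
Domain Users (S-1-5-21-8915387-1074272342-1703228666-513) -> ldapuser
"""
LDIF = """\
dn: uid=Admin,ou=Users,dc=xxxxxxxx,dc=ac.at
sambaSID: S-1-5-21-1992494304-3358384209-1871445459-1000
sambaPrimaryGroupSID: S-1-5-21-1992494304-3358384209-1871445459-512
"""

def domain_of(sid):
    """Domain part of a SID: everything before the final RID."""
    return sid.rpartition("-")[0]

def parse_groupmap(text):
    """Map each SID in `net groupmap list` output to (NT group, Unix group)."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"(.+?) \((S-[\d-]+)\) -> (\S+)", line.strip())
        if m:
            groups[m.group(2)] = (m.group(1), m.group(3))
    return groups

def parse_ldif_sids(text):
    """Collect the samba*SID attributes of one LDIF entry."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key.startswith("samba") and key.endswith("SID"):
            attrs[key] = value.strip()
    return attrs

def check_entry(groupmap_text, ldif_text):
    """List account SIDs that do not line up with the group mappings."""
    groups = parse_groupmap(groupmap_text)
    domains = {domain_of(sid) for sid in groups}
    findings = []
    for attr, sid in parse_ldif_sids(ldif_text).items():
        if domain_of(sid) not in domains:
            findings.append((attr, sid, "domain SID not in groupmap"))
        elif attr == "sambaPrimaryGroupSID" and sid not in groups:
            findings.append((attr, sid, "no group mapping for this SID"))
    return findings

if __name__ == "__main__":
    print(*check_entry(GROUPMAP, LDIF), sep="\n")
```

With the values from the post, both SID attributes of the Admin entry are reported, because their domain portion differs from the one in the Domain Admins and Domain Users mappings.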